Ireland
GDPR enforcement action by Data Protection Authority of Ireland on 2024-10-24.
Case details
- Authority
- Data Protection Authority of Ireland
- Date
- 2024-10-24
- Controller / Processor
- Sector
- Media, Telecoms and Broadcasting
- Quoted Articles
- Art. 5 (1) a) GDPR, Art. 6 (1) a), e), f) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Irish DPA (DPC) has fined LinkedIn EUR 310 million. This decision is related to an investigation following a complaint in 2018 from the French NGO "La Quadrature Du Net". In July 2024, the DPC issued a draft decision under the GDPR cooperation mechanism under Art. 60 GDPR, to which no objections were raised.
During its investigation, the DPC found that LinkedIn had no valid legal basis for processing user data for the purposes of behavioral analysis and targeted advertising.
The DPC found that LinkedIn could not rely on Art. 6 (1) a) GDPR, as the consent of the users did not appear to be freely given, informed and unambiguous. Furthermore, according to the DPC, LinkedIn could not rely on Art. 6 (1) f) GDPR, as the interests, fundamental rights and freedoms of the users outweighed the interests of LinkedIn. The DPC also ruled that LinkedIn could not rely on Article 6 (1) b) GDPR as a legal basis.
Finally, the DPC also found that LinkedIn had not provided users with sufficient information about the data processing in accordance with Art. 13 (1) c) GDPR and Art. 14 (1) c) GDPR.
Related fines